dmitry                                   Tue, 11 May 2010 10:41:19 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=299240

Log:
Fixed a possible memory corruption because of unexpected call-time pass by 
reference and following memory clobbering through callbacks.

Changed paths:
    U   php/php-src/branches/PHP_5_3/NEWS
    U   php/php-src/branches/PHP_5_3/Zend/zend_API.c
    U   php/php-src/trunk/Zend/zend_API.c
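
The hazard the log entry describes, as an added example that is not PHP's code: a cut-down C model of a by-reference zval whose string buffer a user callback reassigns while an internal function still holds the char * that the argument parser handed back. The zval struct, the arena allocator, separate_zval(), parse_string_arg(), user_callback_assign() and run_scenario() are constructed stand-ins for the Zend engine pieces (the real ones are zval, the Zend MM, SEPARATE_ZVAL and the "s" branch of zend_parse_arg_impl), and the poisoning arena is an assumption made so that a freed buffer can be read without undefined behaviour. run_scenario(0) models the parser before this commit, run_scenario(1) the parser with SEPARATE_ZVAL applied to references.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a PHP 5.3 zval: only the fields the example needs. */
typedef struct {
    int   refcount;
    int   is_ref;   /* set when the zval is shared by reference (&$x) */
    char *str;
    int   len;
} zval;

/* Assumed stand-in for the Zend MM: a bump allocator whose free() poisons the
 * block (as a debug allocator does) but never returns memory to the OS, so a
 * dangling pointer can be inspected safely. */
static unsigned char arena[4096];
static size_t arena_top;

static char *arena_strdup(const char *s)
{
    size_t n = strlen(s) + 1;
    if (arena_top + n > sizeof arena) abort();
    char *p = (char *)arena + arena_top;
    arena_top += n;
    memcpy(p, s, n);
    return p;
}

static void arena_free(char *p, int len)
{
    memset(p, 'X', (size_t)len + 1);   /* poison, like a debug allocator */
}

static zval *zval_new_string(const char *s)
{
    zval *z = malloc(sizeof *z);
    z->refcount = 1;
    z->is_ref = 0;
    z->len = (int)strlen(s);
    z->str = arena_strdup(s);
    return z;
}

/* SEPARATE_ZVAL in miniature: give *pz a private, unshared copy. */
static void separate_zval(zval **pz)
{
    zval *orig = *pz;
    if (orig->refcount > 1) {
        orig->refcount--;
        zval *copy = malloc(sizeof *copy);
        *copy = *orig;
        copy->str = arena_strdup(orig->str);   /* zval_copy_ctor */
        copy->refcount = 1;
        copy->is_ref = 0;
        *pz = copy;
    }
}

/* The "s" branch of the argument parser, before (patched=0) and after
 * (patched=1) the fix. The conversion step is omitted: the argument is
 * already a string in this model. */
static void parse_string_arg(zval **arg, char **p, int *pl, int patched)
{
    if (patched && (*arg)->is_ref) {
        separate_zval(arg);   /* *p must not alias a buffer a callback can reach */
    }
    *p  = (*arg)->str;
    *pl = (*arg)->len;
}

/* Stand-in for a user callback that runs while the internal function still
 * holds *p and does `$x = $newval;` on the referenced variable. */
static void user_callback_assign(zval *var, const char *newval)
{
    arena_free(var->str, var->len);
    var->str = arena_strdup(newval);
    var->len = (int)strlen(newval);
}

/* Models f(&$x) with $x === "secret": parse the argument, let a callback
 * reassign $x, then read the buffer the parser handed out.
 * Returns 1 if that buffer still holds "secret", 0 if it was clobbered. */
int run_scenario(int patched)
{
    zval *x = zval_new_string("secret");
    x->is_ref   = 1;
    x->refcount = 2;        /* held by $x and by the call frame */
    zval *arg = x;          /* the argument slot aliases $x */

    char *p;
    int   pl;
    parse_string_arg(&arg, &p, &pl, patched);

    user_callback_assign(x, "clobbered");

    int intact = (pl == 6 && strncmp(p, "secret", (size_t)pl) == 0);

    if (arg != x) free(arg);   /* only zval headers are heap-allocated */
    free(x);
    arena_top = 0;
    return intact;
}

int main(void)
{
    printf("unpatched parser: buffer intact = %d\n", run_scenario(0));
    printf("patched parser:   buffer intact = %d\n", run_scenario(1));
    return 0;
}
```

In the unpatched run the pointer returned by the parser points at the freed, poisoned buffer of $x; in the patched run it points at the private copy, which the callback cannot reach because it is no longer a reference.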

Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS   2010-05-11 10:03:16 UTC (rev 299239)
+++ php/php-src/branches/PHP_5_3/NEWS   2010-05-11 10:41:19 UTC (rev 299240)
@@ -23,6 +23,9 @@
 - Fixed very rare memory leak in mysqlnd, when binding thousands of columns.
   (Andrey)

+- Fixed a possible memory corruption because of unexpected call-time pass by
+  refernce and following memory clobbering through callbacks.
+  Reported by Stefan Esser (Dmitry)
 - Fixed a possible memory corruption in addcslashes(). Reported by Stefan
   Esser (Dmitry)
 - Fixed a possible stack exhaustion inside fnmatch(). Reported by Stefan
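Review bot: the new NEWS entry misspells "reference" as "refernce", and "following memory clobbering" reads awkwardly; suggest "unexpected call-time pass by reference and subsequent memory clobbering through callbacks." so the wording matches the addcslashes() and fnmatch() entries next to it.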

Modified: php/php-src/branches/PHP_5_3/Zend/zend_API.c
===================================================================
--- php/php-src/branches/PHP_5_3/Zend/zend_API.c        2010-05-11 10:03:16 UTC 
(rev 299239)
+++ php/php-src/branches/PHP_5_3/Zend/zend_API.c        2010-05-11 10:41:19 UTC 
(rev 299240)
@@ -412,6 +412,12 @@
                                        case IS_DOUBLE:
                                        case IS_BOOL:
                                                convert_to_string_ex(arg);
+                                               if (UNEXPECTED(Z_ISREF_PP(arg) 
!= 0)) {
+                                                       /* it's dangerous to 
return pointers to string
+                                                          buffer of referenced 
variable, because it can
+                                                          be clobbered throug 
magic callbacks */
+                                                       SEPARATE_ZVAL(arg);
+                                               }
                                                *p = Z_STRVAL_PP(arg);
                                                *pl = Z_STRLEN_PP(arg);
                                                break;
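Review bot: SEPARATE_ZVAL(arg) runs after convert_to_string_ex(arg), so when the argument is a reference the caller's variable is still converted to a string in place before the private copy is taken; if leaving the caller's variable untouched is intended, move the separation ahead of the conversion, otherwise extend the comment to say that only the pointer handed back in *p is being protected and the in-place conversion is unchanged. Minor: "throug" in the comment should be "through".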

Modified: php/php-src/trunk/Zend/zend_API.c
===================================================================
--- php/php-src/trunk/Zend/zend_API.c   2010-05-11 10:03:16 UTC (rev 299239)
+++ php/php-src/trunk/Zend/zend_API.c   2010-05-11 10:41:19 UTC (rev 299240)
@@ -418,6 +418,12 @@
                                        case IS_DOUBLE:
                                        case IS_BOOL:
                                                convert_to_string_ex(arg);
+                                               if (UNEXPECTED(Z_ISREF_PP(arg) 
!= 0)) {
+                                                       /* it's dangerous to 
return pointers to string
+                                                          buffer of referenced 
variable, because it can
+                                                          be clobbered throug 
magic callbacks */
+                                                       SEPARATE_ZVAL(arg);
+                                               }
                                                *p = Z_STRVAL_PP(arg);
                                                *pl = Z_STRLEN_PP(arg);
                                                break;
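Review bot: this hunk is a verbatim copy of the PHP_5_3 one, so the "throug" typo in the comment lands in trunk as well; fix it in both branches. Style: the `!= 0` in `UNEXPECTED(Z_ISREF_PP(arg) != 0)` is redundant, since the macro already takes a condition; `UNEXPECTED(Z_ISREF_PP(arg))` reads the same and is shorter.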

-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php